XEngine: A Fast and Scalable XACML Policy Evaluation Engine
Fei Chen
Dept. of Computer Science and Engineering
Michigan State University
Joint work with
Alex X. Liu, JeeHyun Hwang, Tao Xie
Roadmap
• Introduction and Motivation
• Three Key Ideas
• XACML Policy Numericalization
• XACML Policy Normalization
• Correctness
• Experimental Results
• Conclusion
XEngine: A Fast and Scalable XACML Policy Evaluation Engine Liu, Chen, Hwang, Xie
2/29

Introduction
• Access control mechanisms exist at every layer of the stack: applications, services/middleware, operating system, hardware.
• Each decides whether a subject (process, machine, …) may perform an action (execute, read, …) on a resource (program, file, …).
• XACML (eXtensible Access Control Markup Language) is the de facto standard policy language:
  – XML language
  – Powerful evaluation logic
  – Extensible and flexible
Motivation
• An XACML policy evaluation engine takes an XACML policy and an XACML request, checks whether the request satisfies the policy, and returns the decision.
• Performance is critical.
  – Cost per request: large services handle millions of requests per minute (Amazon).
  – Processing time grows with the size and complexity of the policy.
Prior work
• No prior work focuses on optimizing the performance of XACML policy evaluation.
• Most work on XACML focuses on policy analysis and verification.
• Sun PDP (policy decision point) is an implementation of the standard XACML evaluation engine.
We proposed XEngine
• Orders of magnitude faster than Sun PDP; the more rules, the more orders of magnitude:
  – Hundreds of rules: two orders of magnitude faster than Sun PDP
  – Thousands of rules: four orders of magnitude faster than Sun PDP
Example
  <PolicySet PolicySetId="n" PolicyCombiningAlgId="Permit-Overrides">
    <Target/>
    <Policy PolicyId="n1" RuleCombiningAlgId="Deny-Overrides">
      <Target/>
      <Rule RuleId="1" Effect="Deny">
        <Target>
          <Subjects><Subject>Student</Subject><Subject>Secretary</Subject></Subjects>
          <Resources><Resource>Grades</Resource></Resources>
          <Actions><Action>Change</Action></Actions>
        </Target>
      </Rule>
      <Rule RuleId="2" Effect="Permit">
        <Target>
          <Subjects><Subject>Professor</Subject><Subject>Lecturer</Subject><Subject>Secretary</Subject></Subjects>
          <Resources><Resource>Grades</Resource><Resource>Records</Resource></Resources>
          <Actions><Action>Change</Action><Action>Read</Action></Actions>
        </Target>
      </Rule>
    </Policy>
    <Policy PolicyId="n2" RuleCombiningAlgId="First-Applicable">
      <Target/>
      <Rule RuleId="3" Effect="Permit">
        <Target>
          <Subjects><Subject>Student</Subject></Subjects>
          <Resources><Resource>Records</Resource></Resources>
          <Actions><Action>Change</Action><Action>Read</Action></Actions>
        </Target>
      </Rule>
    </Policy>
  </PolicySet>
(Simplified syntax: real XACML writes combining algorithms as URIs and attribute matches as Match/AttributeValue elements.)
Rule 1 (Deny): a student or secretary cannot change grades.
Rule 2 (Permit): a professor, lecturer or secretary can change or read grades and records.
Rule 3 (Permit): a student can change or read records.
Decision: policy n1 combines rules 1 and 2 with Deny-Overrides, policy n2 uses First-Applicable, and the policy set combines n1 and n2 with Permit-Overrides. A secretary changing grades matches both rule 1 (Deny) and rule 2 (Permit); Deny-Overrides in n1 yields Deny, and n2 is not applicable, so the final decision is Deny.
Three Key Ideas
• XACML policy numericalization
  – String values → numerical values
• XACML policy normalization
  – Recursive structure → flat structure
  – Multiple complex conflict resolution mechanisms → one conflict resolution mechanism
• XACML policy evaluation
  – Use a tree structure (a decision diagram) to process requests efficiently.
XACML Policy Numericalization
• Map each distinct value of each attribute to a distinct integer.
• Applied to the example policy above:
  Subject:  Student: 0, Secretary: 1, Professor: 2, Lecturer: 3
  Resource: Grades: 0, Records: 1
  Action:   Change: 0, Read: 1
• The three rules become rules over integer ranges:
  Rule 1: S ∈ [0,1] ∧ R ∈ [0,0] ∧ A ∈ [0,0] → deny
  Rule 2: S ∈ [1,3] ∧ R ∈ [0,1] ∧ A ∈ [0,1] → permit
  Rule 3: S ∈ [0,0] ∧ R ∈ [1,1] ∧ A ∈ [0,1] → permit
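The numericalization step, as an added example (this is not XEngine's code; it is written here to make the slide's mapping concrete). It assumes that integer codes are assigned in order of first appearance in the rule sequence, which reproduces the table above, and it adds one caveat the slide glosses over: a rule's value set is not always contiguous, so an attribute can map to several intervals, and a request value the policy never mentions has no code at all. The rules, request and helper names are constructed for the example.

```python
# Constructed input: the three rules of the slides' grade policy, with target
# values listed in the order they appear in the XML (tuples, not sets, so that
# integer codes are assigned deterministically).
ATTRIBUTES = ("subject", "resource", "action")

RULES = [
    {"id": 1, "effect": "deny",
     "subject": ("Student", "Secretary"), "resource": ("Grades",), "action": ("Change",)},
    {"id": 2, "effect": "permit",
     "subject": ("Professor", "Lecturer", "Secretary"), "resource": ("Grades", "Records"),
     "action": ("Change", "Read")},
    {"id": 3, "effect": "permit",
     "subject": ("Student",), "resource": ("Records",), "action": ("Change", "Read")},
]


def build_tables(rules, attributes=ATTRIBUTES):
    """Numericalization table: each distinct string value of each attribute gets
    the next free integer, in order of first appearance in the rule sequence.
    This reproduces the slides' numbering (Student 0, Secretary 1, Professor 2, ...)."""
    tables = {attr: {} for attr in attributes}
    for rule in rules:
        for attr in attributes:
            for value in rule[attr]:
                tables[attr].setdefault(value, len(tables[attr]))
    return tables


def to_intervals(codes):
    """Collapse integer codes into sorted, maximal closed intervals.
    {0, 1} -> [(0, 1)], but {0, 2} -> [(0, 0), (2, 2)]: a rule's value set is not
    always contiguous, so one attribute can map to several intervals."""
    intervals = []
    for code in sorted(set(codes)):
        if intervals and intervals[-1][1] == code - 1:
            intervals[-1] = (intervals[-1][0], code)
        else:
            intervals.append((code, code))
    return intervals


def numericalize(rules, attributes=ATTRIBUTES):
    """Return the tables and the rules rewritten over integer intervals."""
    tables = build_tables(rules, attributes)
    numeric = []
    for rule in rules:
        nr = {"id": rule["id"], "effect": rule["effect"]}
        for attr in attributes:
            nr[attr] = to_intervals(tables[attr][v] for v in rule[attr])
        numeric.append(nr)
    return tables, numeric


def numericalize_request(tables, request):
    """Map a request's strings through the same tables. A value the policy never
    mentions has no code; it is returned as -1 so that it matches no rule instead
    of raising (the tables are fixed at preprocessing time)."""
    return {attr: tables[attr].get(value, -1) for attr, value in request.items()}


def format_rule(nr, attributes=ATTRIBUTES):
    """Render a numericalized rule the way the slides do: S ∈ [lo,hi] ∧ ... → effect."""
    parts = [f"{attr[0].upper()} ∈ " + " ∪ ".join(f"[{lo},{hi}]" for lo, hi in nr[attr])
             for attr in attributes]
    return f"Rule {nr['id']}: " + " ∧ ".join(parts) + f" → {nr['effect']}"


if __name__ == "__main__":
    tables, numeric = numericalize(RULES)
    for attr in ATTRIBUTES:
        print(attr, tables[attr])
    for nr in numeric:
        print(format_rule(nr))
    print(numericalize_request(tables, {"subject": "Secretary", "resource": "Grades", "action": "Change"}))
```

Because the tables are built from the policy at preprocessing time, every request must be translated through the same tables, and a request carrying a value absent from the policy must be treated as matching nothing rather than as an error.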
XACML Policy Normalization: Challenges
• Four rule/policy combining algorithms → one: First-Applicable
  – First-Applicable
  – Only-One-Applicable
  – Permit-Overrides
  – Deny-Overrides
• Recursive structure → flat structure
• Multi-valued request → decompose into multiple single-valued requests
Recursive Structure
• Model an XACML policy as a tree.
• Each internal node stores the combining algorithm and the target of the policy or policy set, plus the index range of the rules beneath it.
• Leaves are rules with their effects.
Example tree (from the figure):
  Root: Target t1, Permit-Overrides, rules [1,3]
    Policy node: Target t2, Deny-Overrides, rules [1,2], leaves R1, R2
    Policy node: Target t3, First-Applicable, rules [3,3], leaf R3
  Figure labels: R1 → deny, R2 → permit, R3 → deny
Scattered Predicates
• In the tree, a rule's applicability depends on every target on the path from the root: R3 applies only if the root target t1, the policy target t3 and its own target tR3 all match.
• To flatten the tree, replace the target of R3 by the conjunction t1 ∧ t3 ∧ tR3 (intersect the ranges).
  Example from the figure: t1: [1,6], t3: [0,4], tR3: [3,5]; t1 ∧ t3 ∧ tR3 = [3,4]
Complex XACML Functions
• A rule condition that calls an arbitrary XACML function f() cannot be expressed as a range over numericalized values, so it is kept out of the predicate.
• Original form: Predicate ∧ f() → permit
• Normalized form: Predicate → (if f() then permit)
  The range predicate is handled by the decision diagram; f() is evaluated only for requests that reach that rule.
Multi-valued Rules/Requests
• Multi-valued rules: a subject such as "a person who is both a professor and a student" is numericalized as one distinct value, professor&student.
• Multi-valued requests: "a person who is both a professor and a student wants to assign grades" is decomposed into single-valued requests ("a professor wants …", "a student wants …"). Each single-valued request yields the set of rules it matches ({Ri1, Ri2, …} and {Rj1, Rj2, …}), and these sets are combined into the decision.
Complex Rule/Policy Combining Algorithms
• First-Applicable
  – Concatenate the rule sequences of the normalized policies.
• Only-One-Applicable
  – Check whether two rules from the two sequences overlap.
• Permit-Overrides or Deny-Overrides
  – Use a policy decision diagram (PDD) to convert all-match rules into first-match rules.
Figure: PDD built from the numericalized rules of policy n1 under Deny-Overrides,
  Rule 1: S ∈ [0,1] ∧ R ∈ [0,0] ∧ A ∈ [0,0] → deny
  Rule 2: S ∈ [1,3] ∧ R ∈ [0,1] ∧ A ∈ [0,1] → permit
The S node branches on [0,0], [1,1], [2,3]; R nodes on [0,0], [1,1] or [0,1]; A nodes on [0,0], [1,1] or [0,1]. Each leaf records the rules that match there ([R1]d, [R2]p, or [R1]d,[R2]p where both match), so the all-match decision can be resolved per leaf and read off as a first-match rule.
Complex Rule/Policy Combining Algorithms: multi-valued request example
Policy tree (figure): root V1, Permit-Overrides, rules [1,4]; child V2, First-Applicable, rules [1,2]; child V3, First-Applicable, rules [3,4].
  V2:  R1: Professor → deny    R2: Student → permit
  V3:  R3: Student → deny      R4: Professor → permit
Request: a person who is both a professor and a student wants to assign grades.
• Decompose into Q1: a professor wants … and Q2: a student wants …
• Q1 matches R1, R4: [ [R1]deny, [R4]permit ]; V2 gives deny, V3 gives permit, V1 gives permit.
• Q2 matches R2, R3: [ [R3]deny, [R2]permit ]; V2 gives permit, V3 gives deny, V1 gives permit.
• Merging the two decisions gives permit, which is wrong (×): for the original multi-valued request, V2 applies R1 first (deny), V3 applies R3 first (deny), and V1 yields deny.
• Correct approach: keep the rule sets matched by each single-valued request ({R1, R4} and {R2, R3}), take their union, and re-apply the tree's combining algorithms to that union: V2 → deny, V3 → deny, V1 → deny.
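The two evaluation strategies side by side, as an added example (this is not XEngine's code, and it simplifies the XACML combining algorithms to permit, deny and not-applicable without Indeterminate propagation). It encodes the professor/student tree from this slide and the grade policy set from the earlier example as constructed dictionaries, evaluates requests through the tree with the four combining algorithms, and shows that deciding each single-valued sub-request separately gives permit while the union-of-matched-rules method gives the correct deny. Function and key names are the example's own.

```python
from itertools import product

NA = "not-applicable"


def rule_matches(rule, request):
    """A rule applies when, for every attribute its target constrains, the request
    carries at least one of the listed values. Requests are dicts attribute -> set
    of values, so a multi-valued request simply has a set of size > 1."""
    return all(request.get(attr, set()) & values
               for attr, values in rule["target"].items())


def combine(alg, decisions):
    """Simplified XACML combining over permit/deny/not-applicable
    (real XACML also propagates Indeterminate; omitted here)."""
    applicable = [d for d in decisions if d != NA]
    if not applicable:
        return NA
    if alg == "first-applicable":
        return applicable[0]
    if alg == "permit-overrides":
        return "permit" if "permit" in applicable else ("deny" if "deny" in applicable else applicable[0])
    if alg == "deny-overrides":
        return "deny" if "deny" in applicable else ("permit" if "permit" in applicable else applicable[0])
    if alg == "only-one-applicable":
        return applicable[0] if len(applicable) == 1 else "indeterminate"
    raise ValueError("unknown combining algorithm: " + alg)


def decide(node, applies):
    """Walk the policy tree; applies(rule) says whether a leaf rule applies."""
    if "effect" in node:                      # leaf: a rule
        return node["effect"] if applies(node) else NA
    return combine(node["alg"], [decide(child, applies) for child in node["children"]])


def evaluate(policy, request):
    """Direct evaluation: a rule applies iff its target matches the request."""
    return decide(policy, lambda rule: rule_matches(rule, request))


def matched_rule_ids(policy, request):
    """Ids of every rule in the tree whose target matches the request."""
    if "effect" in policy:
        return {policy["id"]} if rule_matches(policy, request) else set()
    return set().union(*(matched_rule_ids(c, request) for c in policy["children"]))


def decompose(request):
    """Split a multi-valued request into all of its single-valued requests."""
    attrs = sorted(request)
    return [dict(zip(attrs, ({v} for v in combo)))
            for combo in product(*(sorted(request[a]) for a in attrs))]


def evaluate_multivalued(policy, request):
    """XEngine-style: each single-valued sub-request yields the set of rules it
    matches; the union is fed back through the tree's combining algorithms
    (a rule applies iff its id is in the union)."""
    matched = set()
    for single in decompose(request):
        matched |= matched_rule_ids(policy, single)
    return decide(policy, lambda rule: rule["id"] in matched)


def naive_multivalued(policy, request):
    """The wrong shortcut: decide each sub-request on its own and merge the
    decisions with the root's combining algorithm."""
    return combine(policy["alg"], [evaluate(policy, s) for s in decompose(request)])


# Constructed: the professor/student tree from the slide (V1 permit-overrides,
# V2 and V3 first-applicable).
PROF_STUDENT = {"alg": "permit-overrides", "children": [
    {"alg": "first-applicable", "children": [
        {"id": "R1", "target": {"subject": {"Professor"}}, "effect": "deny"},
        {"id": "R2", "target": {"subject": {"Student"}}, "effect": "permit"}]},
    {"alg": "first-applicable", "children": [
        {"id": "R3", "target": {"subject": {"Student"}}, "effect": "deny"},
        {"id": "R4", "target": {"subject": {"Professor"}}, "effect": "permit"}]}]}

# Constructed: the grade policy set n (n1 deny-overrides, n2 first-applicable).
GRADES = {"alg": "permit-overrides", "children": [
    {"alg": "deny-overrides", "children": [
        {"id": "1", "effect": "deny", "target": {"subject": {"Student", "Secretary"},
                                                 "resource": {"Grades"}, "action": {"Change"}}},
        {"id": "2", "effect": "permit", "target": {"subject": {"Professor", "Lecturer", "Secretary"},
                                                   "resource": {"Grades", "Records"},
                                                   "action": {"Change", "Read"}}}]},
    {"alg": "first-applicable", "children": [
        {"id": "3", "effect": "permit", "target": {"subject": {"Student"}, "resource": {"Records"},
                                                   "action": {"Change", "Read"}}}]}]}

if __name__ == "__main__":
    both = {"subject": {"Professor", "Student"}, "resource": {"Grades"}, "action": {"Change"}}
    print("direct:   ", evaluate(PROF_STUDENT, both))
    print("rule-sets:", evaluate_multivalued(PROF_STUDENT, both))
    print("naive:    ", naive_multivalued(PROF_STUDENT, both))
    print("secretary changes grades:", evaluate(GRADES, {"subject": {"Secretary"}, "resource": {"Grades"}, "action": {"Change"}}))
```

The point of carrying rule ids rather than decisions out of each sub-request is visible in the PDD leaves later in the deck ([R1]d, [[R1]d,[R2]p]d, …): the leaf records which rules matched, so the tree's combining algorithms can be re-applied to the union after decomposition.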
XACML Policy Evaluation (1/2)
• The Decision Diagram Approach
  – The final sequence of first-match rules is converted into a PDD.
  – A request is evaluated by walking the diagram: one node per attribute (subject, then resource, then action), following the edge whose range contains the request's value.
Figure: PDD for the example policy. Root S with edges [0,0], [1,1], [2,3]; R nodes with edges [0,0], [1,1] or [0,1]; A nodes with edges [0,0], [1,1] or [0,1]. Leaves: [R1]d, [R-1]na (no rule applies), [R3]p, [[R1]d,[R2]p]d, [R2]p.
XACML Policy Evaluation (2/2)
• The Forwarding Table Approach
  – A d-dimensional PDD becomes d forwarding tables; a request is decided with d table lookups.
Forwarding tables for the example (one per attribute):
  T1 (subject value → node):
    0 → 0, 1 → 1, 2 → 2, 3 → 2
  T2 (row: resource value; column: node from T1; entry: next node):
                node 0  node 1  node 2
    resource 0     0       2       4
    resource 1     1       3       4
  T3 (row: action value; column: node from T2; entry: decision):
               node 0    node 1   node 2             node 3   node 4
    action 0   [R1]d     [R3]p    [[R1]d,[R2]p]d     [R2]p    [R2]p
    action 1   [R-1]na   [R3]p    [R2]p              [R2]p    [R2]p
Example: the request (Secretary, Grades, Change) numericalizes to (1, 0, 0); T1[1] = 1, T2[0][1] = 2, T3[0][2] = [[R1]d,[R2]p]d → deny.
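Compiling first-match range rules into forwarding tables, as an added example (not XEngine's code). The input is a first-match rule sequence for the example policy that is hand-derived here, in the shape normalization is meant to produce: the overlap of rules 1 and 2 under Deny-Overrides (a secretary changing grades) is emitted as its own rule ahead of them, so a plain first-match scan is correct. Nodes are formed by merging attribute values that leave the same residual rule list, which is the subtree sharing that keeps a decision diagram small; this merges one more node than the slide's figure (the two [R2]p columns), so the resulting tables have 4 columns in T3 rather than 5. Rule labels, domain sizes and function names are the example's own, and the differential check at the end mirrors the correctness slide's comparison against a reference evaluator.

```python
from itertools import product

NA = "NA"

# Domain size of each numericalized attribute: subject (4 values), resource (2), action (2).
DOMAINS = (4, 2, 2)

# Constructed first-match rule sequence for the example policy (hand-derived,
# not the paper's output): each rule is ((S range, R range, A range), (decision, rules)).
# The Deny-Overrides overlap of rules 1 and 2 comes first so that first-match is exact.
FIRST_MATCH_RULES = [
    (((1, 1), (0, 0), (0, 0)), ("deny", "R1,R2")),
    (((0, 1), (0, 0), (0, 0)), ("deny", "R1")),
    (((1, 3), (0, 1), (0, 1)), ("permit", "R2")),
    (((0, 0), (1, 1), (0, 1)), ("permit", "R3")),
]


def first_match(rules, point):
    """Reference semantics: the first rule whose ranges all contain the point."""
    for ranges, decision in rules:
        if all(lo <= v <= hi for (lo, hi), v in zip(ranges, point)):
            return decision
    return NA


def build_forwarding_tables(rules, domains):
    """Compile first-match range rules into one table per attribute.

    Table i is indexed [value][node] and yields the node id for the next level;
    the last table yields the decision. A node at level i+1 is the list of rules
    still alive after fixing attribute i (with their remaining ranges); values
    that leave the same residual list share a node, which is how a decision
    diagram merges identical subtrees and keeps the tables small."""
    tables = []
    level = {tuple(rules): 0}            # residual rule list -> node id at this level
    for dim, size in enumerate(domains):
        last = dim == len(domains) - 1
        next_level = {}
        table = [[None] * len(level) for _ in range(size)]
        for residual, node in level.items():
            for value in range(size):
                rest = tuple((ranges[1:], decision) for ranges, decision in residual
                             if ranges[0][0] <= value <= ranges[0][1])
                if last:
                    table[value][node] = rest[0][1] if rest else NA
                else:
                    table[value][node] = next_level.setdefault(rest, len(next_level))
        tables.append(table)
        level = next_level
    return tables


def lookup(tables, point):
    """One table lookup per attribute: d lookups for a d-dimensional request."""
    node = 0
    for table, value in zip(tables, point):
        node = table[value][node]
    return node


def check_equivalent(rules, domains):
    """Differential check over the whole (small) request space: the tables must
    decide every request exactly as the first-match scan does."""
    tables = build_forwarding_tables(rules, domains)
    for point in product(*(range(n) for n in domains)):
        if lookup(tables, point) != first_match(rules, point):
            raise AssertionError(f"mismatch at {point}")
    return tables


if __name__ == "__main__":
    tables = check_equivalent(FIRST_MATCH_RULES, DOMAINS)
    for i, table in enumerate(tables, 1):
        print(f"T{i}:", table)
    print(lookup(tables, (1, 0, 0)))   # secretary / grades / change
```

Exhaustive enumeration is only affordable because numericalized domains are small; the check is worth keeping as a regression test whenever the rule sequence changes, since a bug in table construction silently turns into wrong access decisions.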
Correctness
• We proved the correctness of XEngine (lemmas and theorems in the paper).
• In the experiments, XEngine returns the same decision as Sun PDP for every request.
System Overview
• Preprocessing (once per policy): XACML policy → policy numericalization & normalization → numericalization table, first-match range rules and structure tree → decision diagrams or forwarding tables.
• Evaluation (per request): XACML request → request numericalization (using the table) → lookup in the decision diagrams or forwarding tables → decision.
Experimental Results (1/3)
• Preprocessing time of XEngine
  – Only 6 seconds for a synthetic XACML policy with 4000 rules
Experimental Results (2/3)
• For real-life XACML policies (100,000 requests):
  – The forwarding table approach is 117 times faster than Sun PDP.
  – The PDD approach is 75 times faster than Sun PDP.
  (Plot on log scale.)
Experimental Results (3/3)
• For synthetic XACML policies (100,000 requests) with 400, 2000 and 4000 rules:
  – The forwarding table approach is 3594, 18643 and 34408 times faster than Sun PDP.
  – The PDD approach is 1405, 6210 and 10873 times faster than Sun PDP.
  – The performance difference grows almost linearly with the number of rules.
  (Plot on log scale.)
Concluding Remarks
• We presented a series of algorithms to convert an XACML policy to a decision diagram (or forwarding tables)
• We proposed a series of algorithms to process requests.
• XEngine is effective on both real-life and synthetic XACML policies
– It is orders of magnitude faster than the widely deployed Sun PDP